Latest Activity

New Apache Santuario releases
2 weeks ago

By Colm O hEigeartaigh
Two new versions of the Apache Santuario - XML Security for Java project have been released. Version 2.0.1 (release notes) adds support for a number of previously unsupported algorithms, such as RSA with SHA-224, the RIPE-MD160 digest algorithm, and the RSASSA-PSS signature scheme. It also fixes a performance regression when evaluating signatures, a UTF-8 encoding issue with certain characters, an issue with using GCM algorithms with JDK 8, and a ...
Continue reading →

Apache CXF Fediz 1.1.1 released
1 month ago

By Colm O hEigeartaigh
Apache CXF Fediz 1.1.1 and 1.0.4 have been released. Fediz is a subproject of Apache CXF which implements the WS-Federation Passive Requestor Profile. It allows you to secure web applications using Single Sign-On (SSO) and Claims Based Access Control (CBAC), by redirecting users to an IdP (Identity Provider) for authentication, which in turn leverages the CXF STS (SecurityTokenService). Plugins are provided for the most popular web application ...
Continue reading →

Apache CXF Authentication and Authorization test-cases II
1 month ago

By Colm O hEigeartaigh
In a previous blog post, I covered a number of Apache CXF-based authentication and authorization testcases I uploaded to github. The testcases showed how to authenticate and authorize a SOAP request containing either a SOAP UsernameToken or HTTP Basic Authentication. The options for authentication/authorization backends included Apache DS (ldap), Apache Syncope, Apache Shiro, and Spring Security. In this post, I will cover a number of more advanced ...
Continue reading →

Apache CXF 3.0.0 released
2 months ago

By Colm O hEigeartaigh
Apache CXF 3.0.0 has been released. CXF 3.0.0 picks up Apache Santuario 2.0.0 and WSS4J 2.0.0, and hence all of the new streaming XML/WS-Security functionality available in those releases. Please see the CXF 3.0.0 migration guide for more details about upgrading from an older release. I've also updated the CXF Authentication and Authorization tests in my github repo to use CXF
Continue reading →

OAuth2 - the future of HTTP web services
2 months ago

By Sergey Beryozkin
If the only thing that you've heard about OAuth2 is that it is "insecure" then I'd like to say it is impossible to come up with the generic specification that will ensure the security of your application.
If you have invested some time into analyzing the specific OAuth2 flows and found the conditions under which the security can be breached then it is obvious that a care needs to be applied to whatever OAuth2 flow is deployed depending on how open the ...
Continue reading →

Apache WSS4J 2.0.0 released
2 months ago

By Colm O hEigeartaigh
Apache WSS4J 2.0.0 has been released. This major new release features a new StAX-based implementation of WS-Security, as well as a whole host of other changes and features. I've collected a lot of the information on this blog and created a User Guide for WSS4J as a result, so this is a good place to start to learn about the project and the new features of the
Continue reading →

Apache Santuario - XML Security for Java 2.0.0
2 months ago

By Colm O hEigeartaigh
Apache Santuario - XML Security for Java 2.0.0 has been released, after many months of development work. The main new feature of this release is a new StAX-based API for XML Signature and Encryption. Please see the following page for an overview of this functionality, with some links back to this blog containing configuration and samples. In addition to this new API, the other changes of note in this release are that the JSR-105 API has been removed, ...
Continue reading →

Apache WSS4J 2.0.0 - part VIII
2 months ago

By Colm O hEigeartaigh
This is the eight and final article on Apache WSS4J 2.0.0. In the previous post, I discussed how to use the new streaming WS-Security functionality of Apache WSS4J 2.0.0 via the "action" based configuration approach. In this post, I will show how the new streaming functionality can be used with Apache CXF when using WS-SecurityPolicy. I will also discuss the limitations of the streaming code compared to the older DOM implementation of WS-Security.

1) ...
Continue reading →

Apache WSS4J 2.0.0 - part VII
2 months ago

By Colm O hEigeartaigh
This is the seventh in a series of articles on Apache WSS4J 2.0.0. Up to now I've discussed the new features and changes for the older DOM implementation of WS-Security in WSS4J 2.0.0. This post will look at using the new streaming WS-Security functionality available in WSS4J 2.0.0, when security is configured via the "action"-based approach (as opposed to using WS-SecurityPolicy).

The WSS4J user guide has an article about the different ways to use ...
Continue reading →

New security advisories for Apache CXF
2 months ago

By Colm O hEigeartaigh
Four new security advisories have been disclosed for Apache CXF. They are:
  • CVE-2014-0109: HTML content posted to SOAP endpoint could cause OOM errors
  • CVE-2014-0110: Large invalid content could cause temporary space to fill
  • CVE-2014-0034: The SecurityTokenService accepts certain invalid SAML Tokens as valid
  • CVE-2014-0035: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy
Please see the security advisories page of Apache CXF ...
Continue reading →

XML Security improvements for JAX-RS in Apache CXF 3.0.0
2 months ago

By Colm O hEigeartaigh
Recently on this blog, I've covered the new streaming XML Security functionality that will be available in Apache Santuario - XML Security for Java 2.0.0. For more information about why to use the new streaming implementation, as well as how to use it, please review the following - XML Signature is covered here,  XML Encryption is covered here, and some memory benchmarks are presented here. This article will cover using the new streaming XML ...
Continue reading →

The Tom EE Tribe Time
2 months ago

By Sergey Beryozkin
You do not have to have any specific experience with Tom EE to become a fan. You do not even have to download it. You only have to talk or listen to David Blevins, a long time EE practitioner and the leader of TomiTribe, the real business around Tom EE, to feel excited and realize Tom EE is coming near you if not now but very soon.

We are the fans of TomEE+ of course :-).

You can become the member of the Tom EE(i) Tribe too, play with Tom EE and ...
Continue reading →

Observations about Apache Con NA 2014
2 months ago

By Sergey Beryozkin
It has been a while since I visited Apache Con last time, so I was happy I got a chance to go to Apache Con NA 2014 held in Denver, nice 'mile high' city, April 7-9.

It may be quite a cliche thing to say but the most rewarding thing about visiting Apache Con is about socializing with the fellow team mates, committers and visitors, seeing people you have talked with over the years but not realizing how impressive they look like in the real life :-). ...
Continue reading →

Apache Santuario - XML Security for Java 2.0.0 - part III
2 months ago

By Colm O hEigeartaigh
In the previous couple of posts, I've introduced the new streaming functionality of Apache Santuario - XML Security for Java 2.0.0. The first post focused on XML Signature and the second post focused on XML Encryption. This post will discuss the performance of the new streaming approach. In particular, we will focus on the memory consumption of the DOM vs StAX implementations as the size of the XML tree increases. Both implementations are roughly ...
Continue reading →

Apache Santuario - XML Security for Java 2.0.0 - part II
3 months ago

By Colm O hEigeartaigh
In the previous blog post, I covered the new StAX-based (streaming) XML Signature functionality coming in Apache Santuario - XML Security for Java 2.0.0. In this post, I will focus on the new streaming XML Encryption functionality that will also be available in this release.

1) XML Encryption test-cases

I have uploaded some test-cases to github to show how to use the new StAX-based API. The tests and setup mirror the XML Signature testcases that I ...
Continue reading →

Revisiting JMS performance. Improvements in CXF 3.0.0
3 months ago

By Christian Schneider

Blog post edited by Christian Schneider

Some time ago I did some CXF performance measurements. See How fast is CXF ? - Measuring CXF performance on http, https and jms.

For cxf 3.0.0 I did some massive changes on the JMS transport. So I thought it is a good time to compare cxf 2.x and 3 in JMS performance. My goal was to reach at least the original performance. As my ...


Continue reading →

How fast is CXF ? - Measuring CXF performance on http, https and jms
3 months ago

By Christian Schneider

Blog post edited by Christian Schneider

From time to time people ask how fast is CXF? Of course this is a difficult question as the measuered speed depends very much on the Hardware of the test setup and on the whole definition of the test.
So I am trying to explain how you can do your own tests and what to do to make sure you get clean results.

What should you keep in ...


Continue reading →

Hadoop CDC and processes notification with Apache Falcon, Apache ActiveMQ, and Apache Camel
4 months ago

By Jean-Baptiste Onofré
Some weeks (months ? ;)) ago, I started to work on Apache Falcon. First of all, I would like to thanks all Falcon guys: they are really awesome and do a great job (special thanks to Srikanth, Venkatesh, Swetha). This blog post is a preparation to a set of “recipes documentation” that I will propose
Continue reading →

Apache Santuario - XML Security for Java 2.0.0
4 months ago

By Colm O hEigeartaigh
In recent posts I have described some of the new features of the forthcoming Apache WSS4J 2.0.0 release. In particular, I focused on the changes and improvements to the existing "in-memory" (DOM-based) WS-Security implementation. However, the biggest new feature of WSS4J 2.0.0 will be a new streaming (StAX-based) WS-Security stack. In the next couple of posts, we will examine the core streaming XML Security functionality that will be available in the ...
Continue reading →

Apache Karaf, Cellar, Camel, ActiveMQ monitoring with ELK (ElasticSearch, Logstash, and Kibana)
4 months ago

By Jean-Baptiste Onofré
Apache Karaf, Cellar, Camel, and ActiveMQ provides a lot of information via JMX. More over, another very useful source of information is in the log files. If these two sources are very interesting, for a “real life” monitoring, we need some additional features: The JMX information and log messages should be stored in order to
Continue reading →
More Articles (+10)

Pages

Subscribe to Talend Community Coders aggregator